typet c_typecheck_baset::enum_constant_type(
const mp_integer &min_value,
const mp_integer &max_value) const
{
if(config.ansi_c.mode==configt::ansi_ct::flavourt::VISUAL_STUDIO)
{
return signed_int_type();
}
else
{
// enum constants are at least 'int', but may be made larger.
// 'Packing' has no influence.
if(max_value<(mp_integer(1)<<(config.ansi_c.int_width-1)) &&
min_value>=-(mp_integer(1)<<(config.ansi_c.int_width-1)))
return signed_int_type();
else if(max_value<(mp_integer(1)<<config.ansi_c.int_width) &&
min_value>=0)
return unsigned_int_type();
else if(max_value<(mp_integer(1)<<config.ansi_c.long_int_width) &&
min_value>=0)
return unsigned_long_int_type();
else if(max_value<(mp_integer(1)<<config.ansi_c.long_long_int_width) &&
min_value>=0)
return unsigned_long_long_int_type();
else if(max_value<(mp_integer(1)<<(config.ansi_c.long_int_width-1)) &&
min_value>=-(mp_integer(1)<<(config.ansi_c.long_int_width-1)))
return signed_long_int_type();
else
return signed_long_long_int_type();
}
}
typet c_typecheck_baset::enum_underlying_type(
const mp_integer &min_value,
const mp_integer &max_value,
bool is_packed) const
{
if(config.ansi_c.mode==configt::ansi_ct::flavourt::VISUAL_STUDIO)
{
return signed_int_type();
}
else
{
if(min_value<0)
{
// We'll want a signed type.
if(is_packed)
{
// If packed, there are smaller options.
if(max_value<(mp_integer(1)<<(config.ansi_c.char_width-1)) &&
min_value>=-(mp_integer(1)<<(config.ansi_c.char_width-1)))
return signed_char_type();
else if(max_value<(mp_integer(1)<<(config.ansi_c.short_int_width-1)) &&
min_value>=-(mp_integer(1)<<(config.ansi_c.short_int_width-1)))
return signed_short_int_type();
}
if(max_value<(mp_integer(1)<<(config.ansi_c.int_width-1)) &&
min_value>=-(mp_integer(1)<<(config.ansi_c.int_width-1)))
return signed_int_type();
else if(max_value<(mp_integer(1)<<(config.ansi_c.long_int_width-1)) &&
min_value>=-(mp_integer(1)<<(config.ansi_c.long_int_width-1)))
return signed_long_int_type();
else
return signed_long_long_int_type();
}
else
{
// We'll want an unsigned type.
if(is_packed)
{
// If packed, there are smaller options.
if(max_value<(mp_integer(1)<<config.ansi_c.char_width))
return unsigned_char_type();
else if(max_value<(mp_integer(1)<<config.ansi_c.short_int_width))
return unsigned_short_int_type();
}
if(max_value<(mp_integer(1)<<config.ansi_c.int_width))
return unsigned_int_type();
else if(max_value<(mp_integer(1)<<config.ansi_c.long_int_width))
return unsigned_long_int_type();
else
return unsigned_long_long_int_type();
}
}
}
typet size_type()
{
// The size type varies. This is unsigned int on some systems,
// and unsigned long int on others,
// and unsigned long long on say Windows 64.
if(config.ansi_c.pointer_width==config.ansi_c.int_width)
return unsigned_int_type();
else if(config.ansi_c.pointer_width==config.ansi_c.long_int_width)
return unsigned_long_int_type();
else if(config.ansi_c.pointer_width==config.ansi_c.long_long_int_width)
return unsigned_long_long_int_type();
else
assert(false); // aaah!
}
void c_typecastt::implicit_typecast_arithmetic(
exprt &expr,
c_typet c_type)
{
typet new_type;
const typet &expr_type=ns.follow(expr.type());
switch(c_type)
{
case PTR:
if(expr_type.id()==ID_array)
{
new_type.id(ID_pointer);
new_type.subtype()=expr_type.subtype();
break;
}
return;
case BOOL: assert(false); // should always be promoted to int
case CHAR: assert(false); // should always be promoted to int
case UCHAR: assert(false); // should always be promoted to int
case SHORT: assert(false); // should always be promoted to int
case USHORT: assert(false); // should always be promoted to int
case INT: new_type=signed_int_type(); break;
case UINT: new_type=unsigned_int_type(); break;
case LONG: new_type=signed_long_int_type(); break;
case ULONG: new_type=unsigned_long_int_type(); break;
case LONGLONG: new_type=signed_long_long_int_type(); break;
case ULONGLONG: new_type=unsigned_long_long_int_type(); break;
case SINGLE: new_type=float_type(); break;
case DOUBLE: new_type=double_type(); break;
case LONGDOUBLE: new_type=long_double_type(); break;
case FLOAT128: new_type=ieee_float_spect::quadruple_precision().to_type(); break;
case RATIONAL: new_type=rational_typet(); break;
case REAL: new_type=real_typet(); break;
case INTEGER: new_type=integer_typet(); break;
case COMPLEX: return; // do nothing
default: return;
}
if(new_type!=expr_type)
do_typecast(expr, new_type);
}
void printf_formattert::process_format(std::ostream &out)
{
exprt tmp;
format_constantt format_constant;
format_constant.precision=6;
format_constant.min_width=0;
format_constant.zero_padding=false;
char ch=next();
if(ch=='0') // leading zeros
{
format_constant.zero_padding=true;
ch=next();
}
while(isdigit(ch)) // width
{
format_constant.min_width*=10;
format_constant.min_width+=ch-'0';
ch=next();
}
if(ch=='.') // precision
{
format_constant.precision=0;
ch=next();
while(isdigit(ch))
{
format_constant.precision*=10;
format_constant.precision+=ch-'0';
ch=next();
}
}
switch(ch)
{
case '%':
out << ch;
break;
case 'e':
case 'E':
format_constant.style=format_spect::stylet::SCIENTIFIC;
if(next_operand==operands.end())
break;
out << format_constant(
make_type(*(next_operand++), double_type()));
break;
case 'f':
case 'F':
format_constant.style=format_spect::stylet::DECIMAL;
if(next_operand==operands.end())
break;
out << format_constant(
make_type(*(next_operand++), double_type()));
break;
case 'g':
case 'G':
format_constant.style=format_spect::stylet::AUTOMATIC;
if(format_constant.precision==0)
format_constant.precision=1;
if(next_operand==operands.end())
break;
out << format_constant(
make_type(*(next_operand++), double_type()));
break;
case 's':
{
if(next_operand==operands.end())
break;
// this is the address of a string
const exprt &op=*(next_operand++);
if(op.id()==ID_address_of &&
op.operands().size()==1 &&
op.op0().id()==ID_index &&
op.op0().operands().size()==2 &&
op.op0().op0().id()==ID_string_constant)
out << format_constant(op.op0().op0());
}
break;
case 'd':
if(next_operand==operands.end())
break;
out << format_constant(
make_type(*(next_operand++), signed_int_type()));
break;
case 'D':
if(next_operand==operands.end())
break;
out << format_constant(
make_type(*(next_operand++), signed_long_int_type()));
break;
case 'u':
if(next_operand==operands.end())
break;
out << format_constant(
make_type(*(next_operand++), unsigned_int_type()));
break;
case 'U':
if(next_operand==operands.end())
break;
out << format_constant(
make_type(*(next_operand++), unsigned_long_int_type()));
break;
default:
out << '%' << ch;
}
}
void string_instrumentationt::do_format_string_write(
goto_programt &dest,
goto_programt::const_targett target,
const code_function_callt::argumentst &arguments,
unsigned format_string_inx,
unsigned argument_start_inx,
const std::string &function_name)
{
const exprt &format_arg = arguments[format_string_inx];
if(format_arg.id()==ID_address_of &&
format_arg.op0().id()==ID_index &&
format_arg.op0().op0().id()==ID_string_constant) // constant format
{
format_token_listt token_list;
parse_format_string(format_arg.op0().op0(), token_list);
unsigned args=0;
for(format_token_listt::const_iterator it=token_list.begin();
it!=token_list.end();
it++)
{
if(find(it->flags.begin(), it->flags.end(), format_tokent::ASTERISK)!=
it->flags.end())
continue; // asterisk means `ignore this'
switch(it->type)
{
case format_tokent::STRING:
{
const exprt &argument=arguments[argument_start_inx+args];
const typet &arg_type=ns.follow(argument.type());
goto_programt::targett assertion=dest.add_instruction();
assertion->location=target->location;
assertion->location.set("property", "string");
std::string comment("format string buffer overflow in ");
comment += function_name;
assertion->location.set("comment", comment);
if(it->field_width!=0)
{
exprt fwidth = from_integer(it->field_width, unsigned_int_type());
exprt fw_1(ID_plus, unsigned_int_type());
exprt one = gen_one(unsigned_int_type());
fw_1.move_to_operands(fwidth);
fw_1.move_to_operands(one); // +1 for 0-char
exprt fw_lt_bs;
if(arg_type.id()==ID_pointer)
fw_lt_bs=binary_relation_exprt(fw_1, ID_le, buffer_size(argument));
else
{
index_exprt index;
index.array()=argument;
index.index()=gen_zero(unsigned_int_type());
address_of_exprt aof(index);
fw_lt_bs=binary_relation_exprt(fw_1, ID_le, buffer_size(aof));
}
assertion->make_assertion(fw_lt_bs);
}
else
{
// this is a possible overflow.
assertion->make_assertion(false_exprt());
}
// now kill the contents
invalidate_buffer(dest, target, argument, arg_type, it->field_width);
args++;
break;
}
case format_tokent::TEXT:
case format_tokent::UNKNOWN:
{
// nothing
break;
}
default: // everything else
{
const exprt &argument=arguments[argument_start_inx+args];
const typet &arg_type=ns.follow(argument.type());
goto_programt::targett assignment=dest.add_instruction(ASSIGN);
assignment->location=target->location;
exprt lhs(ID_dereference, arg_type.subtype());
lhs.copy_to_operands(argument);
exprt rhs=side_effect_expr_nondett(lhs.type());
rhs.location()=target->location;
assignment->code=code_assignt(lhs, rhs);
args++;
break;
}
}
}
}
else // non-const format string
{
for(unsigned i=argument_start_inx; i<arguments.size(); i++)
{
const typet &arg_type=ns.follow(arguments[i].type());
// Note: is_string_type() is a `good guess' here. Actually
// any of the pointers could point into an array. But it
// would suck if we had to invalidate all variables.
// Luckily this case isn't needed too often.
if(is_string_type(arg_type))
{
goto_programt::targett assertion=dest.add_instruction();
assertion->location=target->location;
assertion->location.set("property", "string");
std::string comment("format string buffer overflow in ");
comment += function_name;
assertion->location.set("comment", comment);
// as we don't know any field width for the %s that
// should be here during runtime, we just report a
// possibly false positive
assertion->make_assertion(false_exprt());
invalidate_buffer(dest, target, arguments[i], arg_type, 0);
}
else
{
goto_programt::targett assignment = dest.add_instruction(ASSIGN);
assignment->location=target->location;
exprt lhs(ID_dereference, arg_type.subtype());
lhs.copy_to_operands(arguments[i]);
exprt rhs=side_effect_expr_nondett(lhs.type());
rhs.location()=target->location;
assignment->code=code_assignt(lhs, rhs);
}
}
}
}
void string_instrumentationt::invalidate_buffer(
goto_programt &dest,
goto_programt::const_targett target,
const exprt &buffer,
const typet &buf_type,
const mp_integer &limit)
{
irep_idt cntr_id="string_instrumentation::$counter";
if(symbol_table.symbols.find(cntr_id)==symbol_table.symbols.end())
{
symbolt new_symbol;
new_symbol.base_name="$counter";
new_symbol.pretty_name=new_symbol.base_name;
new_symbol.name=cntr_id;
new_symbol.mode=ID_C;
new_symbol.type=size_type();
new_symbol.is_state_var=true;
new_symbol.is_lvalue=true;
new_symbol.is_static_lifetime=true;
symbol_table.move(new_symbol);
}
const symbolt &cntr_sym=ns.lookup(cntr_id);
// create a loop that runs over the buffer
// and invalidates every element
goto_programt::targett init=dest.add_instruction(ASSIGN);
init->location=target->location;
init->code=code_assignt(cntr_sym.symbol_expr(), gen_zero(cntr_sym.type));
goto_programt::targett check=dest.add_instruction();
check->location=target->location;
goto_programt::targett invalidate=dest.add_instruction(ASSIGN);
invalidate->location=target->location;
goto_programt::targett increment=dest.add_instruction(ASSIGN);
increment->location=target->location;
exprt plus(ID_plus, unsigned_int_type());
plus.copy_to_operands(cntr_sym.symbol_expr());
plus.copy_to_operands(gen_one(unsigned_int_type()));
increment->code=code_assignt(cntr_sym.symbol_expr(), plus);
goto_programt::targett back=dest.add_instruction();
back->location=target->location;
back->make_goto(check);
back->guard=true_exprt();
goto_programt::targett exit=dest.add_instruction();
exit->location=target->location;
exit->make_skip();
exprt cnt_bs, bufp;
if(buf_type.id()==ID_pointer)
bufp = buffer;
else
{
index_exprt index;
index.array()=buffer;
index.index()=gen_zero(index_type());
index.type()=buf_type.subtype();
bufp = address_of_exprt(index);
}
exprt deref(ID_dereference, buf_type.subtype());
exprt b_plus_i(ID_plus, bufp.type());
b_plus_i.copy_to_operands(bufp);
b_plus_i.copy_to_operands(cntr_sym.symbol_expr());
deref.copy_to_operands(b_plus_i);
check->make_goto(exit);
if(limit==0)
check->guard=
binary_relation_exprt(cntr_sym.symbol_expr(), ID_ge,
buffer_size(bufp));
else
check->guard=
binary_relation_exprt(cntr_sym.symbol_expr(), ID_gt,
from_integer(limit, unsigned_int_type()));
exprt nondet=side_effect_expr_nondett(buf_type.subtype());
invalidate->code=code_assignt(deref, nondet);
}
void c_typecheck_baset::typecheck_type(typet &type)
{
// we first convert, and then check
{
ansi_c_convert_typet ansi_c_convert_type(get_message_handler());
ansi_c_convert_type.read(type);
ansi_c_convert_type.write(type);
}
if(type.id()==ID_already_typechecked)
{
// need to preserve any qualifiers
c_qualifierst c_qualifiers(type);
c_qualifiers+=c_qualifierst(type.subtype());
bool packed=type.get_bool(ID_C_packed);
exprt alignment=static_cast<const exprt &>(type.find(ID_C_alignment));
irept _typedef=type.find(ID_C_typedef);
type=type.subtype();
c_qualifiers.write(type);
if(packed)
type.set(ID_C_packed, true);
if(alignment.is_not_nil())
type.add(ID_C_alignment, alignment);
if(_typedef.is_not_nil())
type.add(ID_C_typedef, _typedef);
return; // done
}
// do we have alignment?
if(type.find(ID_C_alignment).is_not_nil())
{
exprt &alignment=static_cast<exprt &>(type.add(ID_C_alignment));
if(alignment.id()!=ID_default)
{
typecheck_expr(alignment);
make_constant(alignment);
}
}
if(type.id()==ID_code)
typecheck_code_type(to_code_type(type));
else if(type.id()==ID_array)
typecheck_array_type(to_array_type(type));
else if(type.id()==ID_pointer)
typecheck_type(type.subtype());
else if(type.id()==ID_struct ||
type.id()==ID_union)
typecheck_compound_type(to_struct_union_type(type));
else if(type.id()==ID_c_enum)
typecheck_c_enum_type(type);
else if(type.id()==ID_c_enum_tag)
typecheck_c_enum_tag_type(to_c_enum_tag_type(type));
else if(type.id()==ID_c_bit_field)
typecheck_c_bit_field_type(to_c_bit_field_type(type));
else if(type.id()==ID_typeof)
typecheck_typeof_type(type);
else if(type.id()==ID_symbol)
typecheck_symbol_type(type);
else if(type.id()==ID_vector)
typecheck_vector_type(to_vector_type(type));
else if(type.id()==ID_custom_unsignedbv ||
type.id()==ID_custom_signedbv ||
type.id()==ID_custom_floatbv ||
type.id()==ID_custom_fixedbv)
typecheck_custom_type(type);
else if(type.id()==ID_gcc_attribute_mode)
{
// get that mode
irep_idt mode=type.get(ID_size);
// A list of all modes ist at
// http://www.delorie.com/gnu/docs/gcc/gccint_53.html
typecheck_type(type.subtype());
typet underlying_type=type.subtype();
// gcc allows this, but clang doesn't; it's a compiler hint only,
// but we'll try to interpret it the GCC way
if(underlying_type.id()==ID_c_enum_tag)
{
underlying_type=
follow_tag(to_c_enum_tag_type(underlying_type)).subtype();
assert(underlying_type.id()==ID_signedbv ||
underlying_type.id()==ID_unsignedbv);
}
if(underlying_type.id()==ID_signedbv ||
underlying_type.id()==ID_unsignedbv)
{
bool is_signed=underlying_type.id()==ID_signedbv;
typet result;
if(mode=="__QI__") // 8 bits
result=is_signed?signed_char_type():unsigned_char_type();
else if(mode=="__byte__") // 8 bits
result=is_signed?signed_char_type():unsigned_char_type();
else if(mode=="__HI__") // 16 bits
result=is_signed?signed_short_int_type():unsigned_short_int_type();
else if(mode=="__SI__") // 32 bits
result=is_signed?signed_int_type():unsigned_int_type();
else if(mode=="__word__") // long int, we think
result=is_signed?signed_long_int_type():unsigned_long_int_type();
else if(mode=="__pointer__") // we think this is size_t/ssize_t
result=is_signed?signed_size_type():size_type();
else if(mode=="__DI__") // 64 bits
{
if(config.ansi_c.long_int_width==64)
result=is_signed?signed_long_int_type():unsigned_long_int_type();
else
{
assert(config.ansi_c.long_long_int_width==64);
result=
is_signed?signed_long_long_int_type():unsigned_long_long_int_type();
}
}
else if(mode=="__TI__") // 128 bits
result=is_signed?gcc_signed_int128_type():gcc_unsigned_int128_type();
else if(mode=="__V2SI__") // vector of 2 ints, deprecated by gcc
result=
vector_typet(
is_signed?signed_int_type():unsigned_int_type(),
from_integer(2, size_type()));
else if(mode=="__V4SI__") // vector of 4 ints, deprecated by gcc
result=
vector_typet(
is_signed?signed_int_type():unsigned_int_type(),
from_integer(4, size_type()));
else // give up, just use subtype
result=type.subtype();
// save the location
result.add_source_location()=type.source_location();
if(type.subtype().id()==ID_c_enum_tag)
{
const irep_idt &tag_name=
to_c_enum_tag_type(type.subtype()).get_identifier();
symbol_tablet::symbolst::iterator entry=
symbol_table.symbols.find(tag_name);
assert(entry!=symbol_table.symbols.end());
entry->second.type.subtype()=result;
}
type=result;
}
else if(underlying_type.id()==ID_floatbv)
{
typet result;
if(mode=="__SF__") // 32 bits
result=float_type();
else if(mode=="__DF__") // 64 bits
result=double_type();
else if(mode=="__TF__") // 128 bits
result=gcc_float128_type();
else if(mode=="__V2SF__") // vector of 2 floats, deprecated by gcc
result=vector_typet(float_type(), from_integer(2, size_type()));
else if(mode=="__V2DF__") // vector of 2 doubles, deprecated by gcc
result=vector_typet(double_type(), from_integer(2, size_type()));
else if(mode=="__V4SF__") // vector of 4 floats, deprecated by gcc
result=vector_typet(float_type(), from_integer(4, size_type()));
else if(mode=="__V4DF__") // vector of 4 doubles, deprecated by gcc
result=vector_typet(double_type(), from_integer(4, size_type()));
else // give up, just use subtype
result=type.subtype();
// save the location
result.add_source_location()=type.source_location();
type=result;
}
else if(underlying_type.id()==ID_complex)
{
// gcc allows this, but clang doesn't -- see enums above
typet result;
if(mode=="__SC__") // 32 bits
result=float_type();
else if(mode=="__DC__") // 64 bits
result=double_type();
else if(mode=="__TC__") // 128 bits
result=gcc_float128_type();
else // give up, just use subtype
result=type.subtype();
// save the location
result.add_source_location()=type.source_location();
type=complex_typet(result);
}
else
{
error().source_location=type.source_location();
error() << "attribute mode `" << mode
<< "' applied to inappropriate type `"
<< to_string(type) << "'" << eom;
throw 0;
}
}
// do a mild bit of rule checking
if(type.get_bool(ID_C_restricted) &&
type.id()!=ID_pointer &&
type.id()!=ID_array)
{
error().source_location=type.source_location();
error() << "only a pointer can be 'restrict'" << eom;
throw 0;
}
}
typet cegis_default_integer_type()
{
return unsigned_int_type();
}
typet get_type(const format_tokent &token)
{
switch(token.type)
{
case format_tokent::INT:
switch(token.length_modifier)
{
case format_tokent::LEN_h:
if(token.representation==format_tokent::SIGNED_DEC)
return signed_char_type();
else
return unsigned_char_type();
case format_tokent::LEN_hh:
if(token.representation==format_tokent::SIGNED_DEC)
return signed_short_int_type();
else
return unsigned_short_int_type();
case format_tokent::LEN_l:
if(token.representation==format_tokent::SIGNED_DEC)
return signed_long_int_type();
else
return unsigned_long_int_type();
case format_tokent::LEN_ll:
if(token.representation==format_tokent::SIGNED_DEC)
return signed_long_long_int_type();
else
return unsigned_long_long_int_type();
default:
if(token.representation==format_tokent::SIGNED_DEC)
return signed_int_type();
else
return unsigned_int_type();
}
case format_tokent::FLOAT:
switch(token.length_modifier)
{
case format_tokent::LEN_l: return double_type();
case format_tokent::LEN_L: return long_double_type();
default: return float_type();
}
case format_tokent::CHAR:
switch(token.length_modifier)
{
case format_tokent::LEN_l: return wchar_t_type();
default: return char_type();
}
case format_tokent::POINTER:
return pointer_type(void_type());
case format_tokent::STRING:
switch(token.length_modifier)
{
case format_tokent::LEN_l: return array_typet(wchar_t_type(), nil_exprt());
default: return array_typet(char_type(), nil_exprt());
}
default:
return nil_typet();
}
}
